Firefox 148 Launches With AI “Kill Switch,” Major Security Fixes & New Web Safety Standard

Mozilla has rolled out Firefox 148, a significant update that introduces a long-anticipated “AI Controls” system, delivers critical security patches addressing high-risk vulnerabilities, and debuts a new web standard aimed at reducing one of the internet’s most persistent attack vectors.

The release reflects Mozilla’s ongoing effort to balance rapid adoption of artificial intelligence features with user privacy, transparency, and control—an increasingly central issue across the browser industry.

At the core of Firefox 148 is a new AI Controls panel, now integrated directly into the browser’s Settings menu. The feature allows users to either disable all artificial intelligence-powered functionality with a single switch or selectively manage individual tools.

This rollout fulfills a commitment made by Mozilla leadership in late 2025, when the company pledged that any integration of generative AI would remain strictly opt-in and transparent.

The new controls include a global option labeled “Block AI enhancements,” which prevents both current and future AI features from being activated. Mozilla has emphasized that this setting is persistent across updates—addressing a common criticism that software upgrades can quietly re-enable previously disabled features.

Users can also toggle specific AI capabilities, including:

• Automated webpage summaries and link previews
• AI-assisted tab grouping and organization
• Built-in translation tools
• Alt-text generation for images within PDFs
• Sidebar chatbot integrations with third-party AI systems

The chatbot integrations span several major platforms, including OpenAI’s ChatGPT, Anthropic’s Claude, Microsoft Copilot, Google Gemini, and Mistral’s Le Chat—highlighting Mozilla’s vendor-neutral approach.

Mozilla’s move comes amid broader scrutiny of how browsers and software platforms integrate AI.

In recent years, competitors such as Google Chrome and Microsoft Edge have embedded AI-driven features directly into search, browsing, and productivity tools—often with limited user visibility or control. Privacy advocates have increasingly called for clearer opt-in mechanisms, especially where AI systems may process browsing data or user-generated content.

Mozilla, which positions Firefox as a privacy-focused alternative, appears to be differentiating itself by prioritizing explicit user consent and granular configuration.

Industry analysts suggest the introduction of a universal “kill switch” could set a precedent for other vendors, particularly in regions with tightening digital privacy regulations.

Beyond AI, Firefox 148 marks a milestone in web security by becoming the first browser to implement the Sanitizer API, a standardized tool designed to combat cross-site scripting (XSS) attacks.

XSS vulnerabilities—regularly ranked among the most common and dangerous web security flaws—occur when attackers inject malicious scripts into otherwise trusted websites.

The newly introduced setHTML() method provides a safer alternative to the long-used innerHTML property, which has historically been a major source of vulnerabilities.

Key improvements include:

• Automatic removal of unsafe elements and attributes from HTML input
• Protection against embedded event handlers (such as malicious onclick code)
• Customizable rules for developers to define allowed content
• Compatibility with Trusted Types for stricter enforcement

Security experts have welcomed the move, noting that standardizing safer HTML insertion methods could significantly reduce the attack surface across modern web applications.

Firefox 148 also delivers a wide range of security fixes, several of which are classified as high severity.

Among the most critical are:

• CVE-2026-2758, CVE-2026-2795: Use-after-free vulnerabilities in the JavaScript engine and garbage collector, which could allow attackers to execute arbitrary code
• CVE-2026-2760, CVE-2026-2761, CVE-2026-2768: Sandbox escape flaws affecting components such as WebRender and IndexedDB, potentially enabling attackers to bypass browser isolation protections
• CVE-2026-2777: A privilege escalation issue within Firefox’s messaging system
• CVE-2026-2807, CVE-2026-2792, CVE-2026-2793: Multiple memory safety bugs, some involving memory corruption with potential exploitability
• CVE-2026-2757: A WebRTC vulnerability affecting boundary condition handling
• JavaScript JIT compilation flaws that could lead to data leakage or system compromise

Sandbox escape vulnerabilities are particularly concerning, as they undermine one of the browser’s core security mechanisms—isolating web content from the host system.

Mozilla has not indicated whether any of the vulnerabilities were actively exploited in the wild, but the company has urged users to update immediately.

In addition to security and AI updates, Firefox 148 introduces improvements aimed at accessibility and data management.

Notably, the browser now offers enhanced support for screen readers interpreting mathematical formulas in PDFs, a feature particularly relevant for students, researchers, and technical professionals.

Mozilla has also expanded the availability of Firefox Backup on Windows 10. The feature now works even when users enable automatic history clearing, with safeguards ensuring that data marked for deletion is excluded from backups.

Firefox 148 represents more than a routine update—it signals Mozilla’s strategic direction as it navigates an increasingly AI-driven internet landscape.

• Explicit user control over AI
• Adoption of new security standards
• Rapid patching of critical vulnerabilities

Mozilla is attempting to reinforce Firefox’s identity as a privacy-first, security-focused browser at a time when user trust is becoming a key differentiator.

Firefox updates typically install automatically in the background. However, users can manually verify their version by navigating to:

Menu → Help → About Firefox

This will trigger an update check and apply the latest version if it has not already been installed.

We recommend updating immediately to ensure protection against the patched vulnerabilities.